Query Details

Aad Audit Event From First Party Apps

Query

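// Get a list of first party apps from Entra ID Audit Log with summarized operations
_GetWatchlist('WorkloadIdentityInfo')
// Keep only the watchlist entries flagged as first-party apps
| where IsFirstPartyApp == "True"
// Expose the display name as Identity so it can be used as the join key
| extend Identity = tostring(AppDisplayName)
// Match audit events from the last 365 days whose Identity equals the app display name
| join kind=inner (
    AuditLogs
    | where TimeGenerated > ago(365d)
) on Identity
// Collect the distinct operation names seen for each app
| summarize make_set(OperationName) by AppDisplayName, ServicePrincipalObjectId, AppId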

Explanation

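This query lists the first-party apps that appear in the Entra ID Audit Log and summarizes the operations recorded for each one. It reads the WorkloadIdentityInfo watchlist, keeps the entries where IsFirstPartyApp is "True", and inner-joins them to the AuditLogs table for the last 365 days by matching the app's display name against the Identity column. It then collects the distinct OperationName values for each app, grouped by display name, service principal object ID, and app ID.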

Details

Thomas Naunheim

Released: February 16, 2024

Tables

_GetWatchlist, AuditLogs

Keywords

GetWatchlist,WorkloadIdentityInfo,IsFirstPartyApp,AppDisplayName,AuditLogs,TimeGenerated,summarize,make_set,OperationName,ServicePrincipalObjectId,AppId

Operators

GetWatchlist, where, extend, join, kind, summarize, make_set
